Stuxnet: Can an act of digital terrorism be justified?

At the beginning of last year, Iran’s uranium enrichment facility near Nantanz started replacing centrifuges 20 times more frequently than the expected rate. The inspectors with the International Atomic Energy Agency didn’t have any idea why at the time, and weren’t even allowed to ask, according to their report.

What they didn’t know was that the facility was under attack from one of the most pernicious pieces of malware ever to come down the pike. Stuxnet took advantage of a vulnerability in the LNK file of Windows Explorer, a fundamental component of Microsoft Windows, to infect as many machines as it could, like most computer viruses. But there were marked differences between Stuxnet and most other malware.

Stuxnet used zero-day exploits, which is rare among this type of software. A zero-day vulnerability is one that the manufacturer has yet to discover, so when a hacker distributes an exploit, it’s before the first day the manufacturer can take any protective measures. Literally one piece of malware in a million uses such an exploit. Stuxnet used four of them.

And Stuxnet was written to specifically target the exact version of a Siemens programmable logic controller (PLC) that was being used primarily in facilities such as the one in Nantanz. If it did not detect the PLC in the computer, Stuxnet would pass itself on and then render itself inert.

Over half of the reported Stuxnet attacks were on computers in Iran. Further, it would monitor the rotational frequency of any motors controlled by the computer, and only messed with their speeds if they were within a certain range that would include nuclear centrifuges.

So, we have a highly sophisticated piece of malware that used an unprecedented number of zero-day exploits to get where it wanted to go, and only damaged certain pieces of hardware once it got there. It seems as if the creators of Stuxnet were using the vast resources available to them solely to slow down the alleged Iranian nuclear weapons program.

Siemens stated that the worm has not caused any damage to its customers, but that the Iranian nuclear program, which uses embargoed Siemens equipment procured clandestinely, was severely damaged.

What Stuxnet did was to spin the centrifuges a lot faster than normal, then rapidly slow them down, then return them to a normal spin, all so quickly that the equipment was placed under serious stress and became unbalanced. This process was repeated in rapid succession until the equipment broke, which happened a lot, to judge from how many centrifuges are being replaced.

Iran is still trying to figure out how to get the rootkit out of its network. It’s safe to say that their nuclear program has been seriously affected.

The accusations are flying now that Iran has figured out what happened. They of course think the United States had something to do with it, and a report by Kaspersky Lab states that it’s unlikely that such a sophisticated attack could have been created and delivered without state support. Common sense would tell you that this is not a high school hack.

There is even the possibility that Siemens itself was involved, since the targeting was so precise against the company’s equipment.

But nobody knows for sure. France and Israel have been named by some as possible suspects. In fact, Iran is even unsure how Stuxnet got into its network. Some suggested it was carried in on key drives belonging to Russian contractors. Another possibility is that the worm replicated into the network from an unsecured educational server.

But let’s say, for the sake of argument, the United States was behind the attack. Stopping the Iranian nuclear weapons program is a goal worth achieving, but at what cost? Is using malware to gain access to a victim’s computer always wrong, no matter what the objective or outcome? Even if you consider the relatively few computers in other countries (that were running other kinds of motors for other purposes) acceptable losses, is this a weapon that we should stoop to deploy?

As the prospects of cyber conflicts grow, these are questions worth considering.

About the Author

Greg Crowe is a former GCN staff writer who covered mobile technology.

inside gcn

Reader Comments

Thu, Jul 21, 2011
bandit

The thing that indicates Stuxnet was state-sponsored is the knowledge of the exact configuration of the embedded controllers - the exact PLC's with the exact code.
Everything else (the actual creation of the use of the PC as the attack vector and the reprogramming of the PLC's) is simply good engineering - the team could be put together in a few days.
What makes this unique (other than the gathering of the information), was the use of a PC as an attack vector on an embedded control system.
The best definition of terrorism I have seen is attacks that target non-combatants. (This is not intended to start a flame war over civilians as "collateral damage".)
I am not trying to duck the question, but if one nation-state attacks another nation-state, that is war, decelerated or not.
Technically - it was a brilliant hack. It also shows the danger of being able to re-programming an embedded control system without an overt act by a human, such as connecting a special cable.

Wed, Jul 20, 2011
Hampton DeJarnette

Yes, the headline writer should be strongly rebuked. Asking "Can an act of digital terrorism be justified?" is underhanded because it invites only an answer of "yes" or "no" and slyly suckers the reader into labeling Stuxnet as an act of terrorism. I ask, what justification is there for labeling the Stuxnet program as terrorism?
Anyone who equates damaging - how many, maybe 100, even 1,000? - centrifuges with the deliberate murder of a randomly-chosen human being has a value system that is, to me, out of kilter, and I wonder if there exists a way that I could have a rational discussion with him.
I'm no example of high morality, and certainly no expert in morality, but-if you were forced to choose-which would you rather have for a neighbor: someone who destroyed several hundred thousand dollars worth of property, or someone who killed people at random?

Wed, Jul 20, 2011
Matt

Why are people so mad because the word terrorism was used? Look up the definition. Its an act of war when no war is declared. Just because its us doing it does not mean its not a terrorist act. If Iran had destroyed our nuclear program, we darn sure would say it was terrorism. Now as to if we should have done it, yes, in this case it may prevent future problems and nobody got hurt. But it was terrorism none the less. The question should be, can terrorism be good, like white hat hackers, perhaps this is white mask terrorists.

Tue, Jul 19, 2011

This article should be clearly marked as editorial comment. Unsupported statements such as "creators of Suxnet were using the vast resources . . .". How does the author know thhat the creators had "vast resources", or is that just his opinion?
How does the author know that Iran is still trying to get Suxnet out of their computers? Is he helping them?
How can anyone support Iran's pursuit of nuclear weapons in any way. A pariah nation, condemned by the UN is fair game for any action at all.
I am awe struck by the restraint shown in carefully targeting only their enrichment facilities and the level of effort to avoid collateral damage.
It is about time someone took effective action!

Tue, Jul 19, 2011

The best defense is a good offense. Never more true than in cyberspace.